From f885408518b66453d3fbcc77faa2efb6261a76a7 Mon Sep 17 00:00:00 2001
From: Adit Sarfaty <asarfaty@vmware.com>
Date: Sun, 7 Jan 2018 14:08:41 +0200
Subject: [PATCH] NSX-v3: Inform FWaaS when a router interface is removed

In FWaaS v2, the firewall group is attached to router interface ports.
When the last interface is removed, the firewall status should be set to
inactive until a new port is added.

Change-Id: I20a7566d80fa011772066ecd076a303b0fb07f99
---
 vmware_nsx/plugins/nsx_v3/plugin.py                    |  5 +++++
 vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v1.py |  4 ++++
 vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py | 10 ++++++++++
 3 files changed, 19 insertions(+)

diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py
index e79d38e7d6..6cb01e3c60 100644
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@@ -3894,6 +3894,11 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
                       "%(net_id)s not found at the backend",
                       {'router_id': router_id,
                        'net_id': subnet['network_id']})
+
+        # inform the FWaaS that interface port was removed
+        if self.fwaas_callbacks:
+            self.fwaas_callbacks.delete_port(context, port_id)
+
         info = super(NsxV3Plugin, self).remove_router_interface(
             context, router_id, interface_info)
         if not cfg.CONF.nsx_v3.native_dhcp_metadata:
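Review bot: The `self.fwaas_callbacks.delete_port(context, port_id)` call runs before `super(NsxV3Plugin, self).remove_router_interface(...)`, so if the parent call raises, the firewall group may already be reported INACTIVE while the interface port is still attached. The reverse failure also applies: an exception from the callback (it makes an RPC call in the v2 implementation) aborts the interface removal after the backend work above it has run. If the lookup has to happen while the port still exists, document that and the missing rollback with a comment such as `# must run before the port is deleted; FWG status is not restored if the removal below fails`, and consider catching and logging callback errors. `port_id` is assigned outside this hunk, so it is worth confirming it is always set on the subnet_id path; the enclosing method starts and ends outside the hunk.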
diff --git a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v1.py b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v1.py
index 8c794be3fd..3c091b599c 100644
--- a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v1.py
+++ b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v1.py
@@ -95,3 +95,7 @@ class Nsxv3FwaasCallbacksV1(com_clbcks.NsxFwaasCallbacks):
 
         # Also update the router tags
         self.internal_driver.update_nsx_router_tags(nsx_router_id, fw_id=fw_id)
+
+    def delete_port(self, context, port_id):
+        # nothing to do in FWaaS v1
+        pass
diff --git a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py
index 5951a45f55..f5b669603d 100644
--- a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py
+++ b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py
@@ -15,6 +15,8 @@
 
 from oslo_log import log as logging
 
+from neutron_lib import constants as nl_constants
+
 from vmware_nsx.db import db as nsx_db
 from vmware_nsx.extensions import projectpluginmap
 from vmware_nsx.services.fwaas.common import fwaas_callbacks_v2 as \
@@ -98,3 +100,11 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
 
         # update the backend router firewall
         nsxlib.firewall_section.update(section_id, rules=fw_rules)
+
+    def delete_port(self, context, port_id):
+        # Mark the FW group as inactive if this is the last port
+        fwg = self.get_port_fwg(context, port_id)
+        if (fwg and fwg.get('status') == nl_constants.ACTIVE and
+            len(fwg.get('ports', [])) <= 1):
+            self.fwplugin_rpc.set_firewall_group_status(
+                context, fwg['id'], nl_constants.INACTIVE)
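Review bot: The "last port" test `len(fwg.get('ports', [])) <= 1` in `delete_port` is evaluated before the port is detached and is not atomic with the removal. Two concurrent removals of the final two interfaces could each see two ports, which would leave the group ACTIVE with nothing attached. That depends on how `get_port_fwg` reads its data, which is not visible here. Groups in any status other than `nl_constants.ACTIVE` are also skipped silently, so a group that is mid-update when its last port goes away would never be moved to INACTIVE. A docstring should state both limits, e.g. `"""Set the firewall group INACTIVE if port_id is its last port (best effort; not safe against concurrent removals)."""`, and re-checking the port list after the interface is actually deleted would keep the reported status from diverging from what is enforced.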